Deploy the NeuVector Service on Kubernetes from the IBM Cloud Catalog

Step-by-step instructions to integrate NeuVector with the IBM Cloud Kubernetes Service to provide complete runtime container security.

Container technology makes it easy to deploy applications in the cloud, and Kubernetes is one of the popular choices for deploying containerized applications. But in this new and ever-changing container and microservices world, container security is critical. Vulnerabilities in applications residing within a container can be exploited if the right protections are not in place. This tutorial demonstrates how NeuVector integrates with the IBM Cloud Kubernetes Service to provide complete runtime container security for your production Kubernetes workloads.

NeuVector is a cloud-native container firewall for monitoring and protecting Kubernetes container deployments in production. The NeuVector solution consists of security containers that are deployed on each node, in the same way you deploy your applications with Kubernetes. For evaluation purposes, NeuVector makes an Allinone container and an Enforcer container available.

Prerequisites

Steps

Step 1: Create a Kubernetes cluster in IBM Cloud

  1. Log into your IBM Cloud account. Select Kubernetes from the Navigation Menu.
  2. On the Kubernetes Overview page, select Create a Cluster.
  3. To create a cluster, set the following parameters:
    • Select Standard from the list of pricing plans.
    • Within the Orchestration services section, select the most current version of Kubernetes (if you are presented with a choice).
    • If you are offered Infrastructure options, choose Classic.
    • If you are offered Location choices, keep the default options that are prefilled.
    • If you are offered Worker pool choices to set up the number of worker nodes for your workload, leave it at the default number (this can be resized later).
    • Within the Resource details section, enter a name for your cluster.
    • In the Summary pane, review the order summary and then click Create.
  4. Worker nodes can take a few minutes to provision, but you can see the progress in the Worker nodes tab. When the status reaches Ready, you can start working with your cluster. See the Getting started with IBM Cloud Kubernetes Service documentation for more details about cluster creation.

You can also create a cluster from the command line by using the following IBM Cloud CLI command:

ibmcloud ks cluster create classic --name my_cluster

Step 2: Access the Kubernetes cluster

Now that the cluster is provisioned, you can access it from the IBM Cloud CLI tool that you downloaded in the Prerequisites.

Go to IBM Cloud Dashboard, click on Clusters under the Resource Summary section, then click on the name of the cluster that you created in Step 1. Then click on Actions > Connect via CLI, as shown below:

It will list the instructions to be performed:

Follow the instructions on the terminal to do the following:

  • Log into your cluster.
  • Set the Kubernetes context to your cluster.
  • Verify that you can connect to your cluster.

Step 3: Deploy NeuVector onto your Kubernetes cluster

3.1: Create a NeuVector service instance using IBM Cloud

Create an instance of NeuVector Container Security Platform using the IBM Cloud Catalog:

Provide the name of the service of your choice and click on Create.

Once the service is created, go to IBM Cloud Dashboard > Resource Summary section > Services and Softwares and click on the name of the NeuVector service you created. It will take you to the page for managing the NeuVector service instance:

Go to the Deployment section. The steps listed under Deploying the NeuVector Platform on an IBM Cloud IKS cluster need to be executed. You are asked to download two configuration files: the secret manifest and the Helm values. Download them into the current working directory, then copy the steps below into a single bash script and run them all in one go:

Note: Replace the IC_IKS_CLUSTER_ID value in the script below with your cluster ID. To get your cluster ID, you can use the command ibmcloud ks cluster ls |grep <cluster-name>.

# To get your cluster ID
#ibmcloud ks cluster ls |grep <cluster-name>

# Set IKS cluster id (e.g. c1cd1i4xxxj1v6g)
IC_IKS_CLUSTER_ID=c1cd1i4xxxj1v6g

ibmcloud ks cluster config --admin --cluster $IC_IKS_CLUSTER_ID

IC_IKS_INGRESS_DOMAIN=$(ibmcloud ks cluster get --cluster $IC_IKS_CLUSTER_ID --json | python -c "import json,sys;obj=json.load(sys.stdin);print((obj['ingress']['hostname'] if 'ingress' in obj and 'hostname' in obj['ingress'] else (obj['ingressHostname'] if 'ingressHostname' in obj else '')));")
echo $IC_IKS_INGRESS_DOMAIN

IC_IKS_INGRESS_SECRET_NAME=$(ibmcloud ks cluster get --cluster $IC_IKS_CLUSTER_ID --json | python -c "import json,sys;obj=json.load(sys.stdin);print((obj['ingress']['secretName'] if 'ingress' in obj and 'secretName' in obj['ingress'] else (obj['ingressSecretName'] if 'ingressSecretName' in obj else '')));")
echo $IC_IKS_INGRESS_SECRET_NAME

kubectl config current-context
kubectl get pod --all-namespaces

kubectl create namespace neuvector

kubectl apply -n neuvector -f ./neuvector-secret-registry.yaml

NV_VERSION=4.2.2

helm install \
    'neuvector-core' \
    'core' \
    --repo 'https://neuvector.github.io/neuvector-helm/' \
    --namespace neuvector \
    --values ./neuvector-helm.yaml \
    --set "manager.ingress.host=neuvector.${IC_IKS_INGRESS_DOMAIN}" \
    --set "manager.ingress.secretName=${IC_IKS_INGRESS_SECRET_NAME}" \
    --set "tag=${NV_VERSION}" \
    --atomic --wait

After all steps run successfully, you get the URL for the NeuVector web UI: https://neuvector.${IC_IKS_INGRESS_DOMAIN}.
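The two python one-liners in the script print an empty string when the cluster JSON carries no ingress fields, so helm would be handed the host "neuvector." and an empty secret name. The following is an added example, not part of the original tutorial or of NeuVector's tooling: it reads the same JSON fields but fails closed. The function names and sample documents are assumptions made for illustration.

```python
import json
import re
import sys

# RFC 1123 DNS name, the syntax Kubernetes expects for ingress hosts and Secret names.
_LABEL = r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
_DNS_NAME = re.compile(rf"{_LABEL}(\.{_LABEL})*")


def _pick(obj, nested_key, flat_key):
    """Read ingress.<nested_key>, falling back to the flat key the script also checks."""
    ingress = obj.get("ingress")
    if isinstance(ingress, dict) and ingress.get(nested_key):
        return ingress[nested_key]
    return obj.get(flat_key) or ""


def ingress_settings(cluster_json):
    """Return (hostname, secret_name); raise ValueError instead of returning blanks."""
    obj = json.loads(cluster_json)  # invalid or empty input raises a ValueError subclass
    if not isinstance(obj, dict):
        raise ValueError("cluster JSON is not an object")
    host = _pick(obj, "hostname", "ingressHostname")
    secret = _pick(obj, "secretName", "ingressSecretName")
    for label, value in (("ingress hostname", host), ("ingress secret name", secret)):
        # Commas or spaces would also change how helm parses a --set value.
        if not isinstance(value, str) or len(value) > 253 or not _DNS_NAME.fullmatch(value):
            raise ValueError(f"{label} missing or malformed: {value!r}")
    return host, secret


def helm_set_args(cluster_json):
    """Build the two ingress --set arguments used by the helm install step."""
    host, secret = ingress_settings(cluster_json)
    return ["--set", f"manager.ingress.host=neuvector.{host}",
            "--set", f"manager.ingress.secretName={secret}"]


# Constructed sample documents (hypothetical values, not real cluster output).
SAMPLE_NESTED = '{"ingress": {"hostname": "demo.example.test", "secretName": "demo-tls"}}'
SAMPLE_FLAT = '{"ingressHostname": "demo.example.test", "ingressSecretName": "demo-tls"}'
SAMPLE_NOT_READY = '{"ingress": {"hostname": "", "secretName": ""}}'

if __name__ == "__main__":
    try:
        print(" ".join(helm_set_args(sys.stdin.read())))
    except ValueError as err:
        sys.exit(f"refusing to install: {err}")
```

Piping the output of ibmcloud ks cluster get --cluster $IC_IKS_CLUSTER_ID --json into this file stops the script with a non-zero exit status before helm runs if the ingress subdomain has not been assigned.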

3.2: Apply NeuVector license

Access the URL provided after successful deployment and log in to NeuVector using the default credentials admin/admin:

  • Accept the End User license agreement. Click on Accept.
  • You will see the following in the bottom-right corner:
  • You can click on it to change the password. It will take you to the Profile Settings. Click on Edit Profile. Provide the current password and new password, then click Save.
  • Log in again with the new password.
  • Next, add the license key. Navigate to the License section as shown below and copy the license key:
  • Log in to NeuVector and navigate to Settings > License. Paste the copied license key in the License Code box and click Activate.

Now you are all set to use NeuVector with your IBM Cloud Kubernetes Service Cluster.

Summary

The IBM Cloud Kubernetes Service makes it easy to set up a Kubernetes cluster to host your containerized applications. When running such applications in production, security is required to ensure that the applications are safe and communicating properly. NeuVector provides that runtime security in any cloud environment, with a Layer 7 firewall, host and container process monitoring, and vulnerability scanning. You can request a demo and access to the download by contacting NeuVector at info@neuvector.com.
